Go to your personal account on zakupki.gov.ru without Internet Explorer and other useful tips when working with CryptoPro

In this article I will try to summarize the experience of using CryptoPro crypto-provider to access the closed part of the official website of the unified procurement information system (zakupki.gov.ru) and the website of public services (gosuslugi.ru). The cryptographic provider itself has already become a de facto standard for state institutions, in its format it issues EDS, for example, the certification center (CA) of the Federal Treasury or CA of the Ministry of Health.

First of all, we will focus on the site zakupki.gov.ru. Personal account of this site is available only via HTTPS using GOST-encryption algorithms. For a long time, HTTPS through GOST worked only in Internet Explorer, which relied entirely on the cryptographic provider. The end came not so long ago, when the site zakupki.gov.ru discontinued support for older versions of IE, including IE8. The trouble is that IE8 is the latest version of this browser, supported in Windows XP, and government agencies are usually very conservative in terms of licensing. Thus, quite a large part of users suddenly turned out to be “overboard”.

Fortunately, the CryptoPro company releases a special build of the Firefox browser called the CryptoPro Fox (CryptoFox), which supports the GOST algorithms and works, of course, only in conjunction with the corresponding crypto-provider. There was a time when the development of the assembly almost completely ceased, but now new versions are coming out regularly. The latest build is based on Firefox 45. You can download the builds here , versions are available for Windows, Linux and even Apple OS X.

The link is available in English version of the browser. To localize it, you need to download the package with the translation interface. Please note that the version of the package must match the version of the browser itself.
')
After installing the package, you need to open a new tab, type about: config there, and in the list of parameters that opens, enter general.useragent.locale and change its value from en-US to ru-RU. After restarting the browser, the interface will be in Russian.

Now you can put the root certificate of the Federal Treasury TC in the “Trusted Root Certification Authorities” storage, the personal certificate of the user’s certificate in the Personal storage, restart the browser and enter the personal account zakupki.gov.ru by 44-FZ.



There are no valid certificates of authorized persons at my workplace, therefore access to the personal account is prohibited. However, the connection is encrypted in any case by the GOST family of algorithms.

In the case of access to the closed part of the site via 223-FZ, authorization will pass through the ESIA (that is, through the website gosuslugi.ru). Here the situation is simplified, because this site has a plugin for Firefox that has existed for a long time and is being developed by Rostelecom. When you first visit the site we will be asked to download the plugin. After installation, the plug-in should be switched to the “Always enable” mode in the CryptoFox settings, otherwise a window with a certificate request will not appear on the website of public services.



Unfortunately, the signature of documents on the site zakupki.gov.ru is implemented through a specific component sing.cab, which uses ActiveX technology. Naturally, this component will not work in CryptoPro, so we will wait for the transition to a more common technology. Fortunately, signing the document is only a small part of what the operator should do while working at zakupki.gov.ru, so CryptoFox can be used for everyday operations.

Sometimes it is necessary to keep a copy of the private key on the local computer. This can be done if the key is marked as unloading when it is created in the CA. Copying is done using the “Copy” button (which is unexpected) in the interface of the CryptoPro applet


If there are two options for storing the key on the local machine - in the “Registry” reader and on the virtual removable disk. In principle, the security of key storage in both cases is about the same, so the choice of the means remains with the reader.

In the “Registry” reader keys are stored in the branch

HKLM\SOFTWARE\Crypto Pro\Settings\Users\[SID ]\Keys
for the user and in the branch

HKLM\SOFTWARE\Crypto Pro\Settings\Keys
for the computer as a whole.

In the case of a 64-bit OS, the paths will be slightly different:

HKLM\SOFTWARE\Wow6432Node\Crypto Pro\Settings\Users\[SID ]\Keys
and

HKLM\SOFTWARE\Wow6432Node\Crypto Pro\Settings\Keys

When running CryptoPro on a terminal server, the user may not have enough rights to write the key to these branches, since they are not in the user profile. This situation can be corrected by assigning appropriate rights to the branches through the Regedit utility.

CryptoPro searches for key containers on disks that have the attribute “removable”, that is, a flash disk or, forgive my God, the diskette will be considered key containers, but a network disk or a disk thrown through RDP will not. This allows you to store keys on floppy images on the principle of one key - one floppy disk and thereby increase security. To create a virtual drive, you can use the ImDisk utility, which has a version for 64-bit operating systems. Declared compatibility with Windows up to 8.1, works fine in Windows 10.



There is also a utility Virtual Floppy Drive (VFD) , in which you can create a drive that is visible only to a specific user. Unfortunately, it has not been developed for a long time, and it seems it will not work on 64-bit OS due to an unsigned driver.

Applying these tips and not forgetting the Provision PKZ-2005 , which, however, is advisory in nature, it is possible to somewhat ease the life of both operators working on procurement sites and themselves.